ThreatSTOP Blog

ThreatSTOP blocking Shellshock (Bash) scanners

Written by francisturner | September 27, 2014

Over the last 36 hours ThreatSTOP has identified a number of hosts that are attempting to scan for (and then exploit) the Shellshock bash vulnerability. We are actively identifying these miscreants through (failed) attacks against our servers, detection by our honeypots, and data received from malware researchers we work with.

These addresses have been added to a new expert mode target list called “shellshock” as well as to our standard mode “UNIX SERVER” target list.

We recommend that any of our users who have servers exposed to the Internet implement these target lists. If you are a Standard user, you should already be using the UNIX SERVER list if you have Unix or Linux servers that accept connections from the Internet. If you are an Expert Mode user, you should add the shellshock list to the policies you apply to Internet-facing servers.

This list is currently around 700 entries and growing fast. We were blocking many of these even before we focused on detecting shellshock exploit attempts. As we noted in our blog posts about Heartbleed, we have been blocking a number of attacks simply because they are coming from IP addresses that are well known to us as attackers.

The Shellshock vulnerability is a serious vulnerability in the GNU bash shell that runs on Linux- and Unix-based systems (this includes Apple, BTW). The vulnerability allows arbitrary code execution in bash by setting specially crafted environment variables. This weakness allows the installation of reverse shells and other malware on Internet-facing servers. The bug affects web servers that run shell scripts via CGI, as well as SSH servers, but could also be exploitable through other protocols such as DHCP. The vulnerability is being actively used to compromise web servers and build botnets that can attack other parts of the Internet.
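The paragraph above describes the path an attack takes: a CGI-fronting web server copies request headers into the environment of the script it runs, and an unpatched bash treats any environment variable whose value starts with the characters "() {" as a function definition and keeps executing what follows the closing brace. The following script is an added example written for this post (not ThreatSTOP's own code or tooling) that shows how a honeypot or web server operator can flag such probes per request, complementing the IP-based blocking the post describes. The sample requests are constructed for the example; the header-to-environment mapping follows the CGI convention (HTTP_ prefix, upper case, dashes to underscores).

```python
import re

# Unpatched bash checked whether an environment variable's value begins with
# the literal four characters "() {" before parsing it as a function. This
# pattern is deliberately a little broader (optional whitespace before the
# brace) so that trivially spaced variants are still caught.
SHELLSHOCK_MARKER = re.compile(r"^\(\)\s*\{")

# Constructed sample requests, not real captures, as a web server or honeypot
# serving CGI scripts would receive them.
SAMPLE_REQUESTS = [
    # Ordinary browser request: nothing to flag.
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
    # Probe carrying the function-definition marker in two headers.
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: () { :;}; echo probe\r\n"
    "Referer: () { :; }; echo probe\r\n\r\n",
    # "() {" appearing mid-value does not trigger bash's check, so it is
    # not flagged: the marker has to be at the start of the value.
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (compatible; foo() { bar })\r\n\r\n",
    # Probe using the Cookie header instead of User-Agent.
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: () { :;}; echo probe\r\n\r\n",
]


def parse_headers(raw_request: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs for the headers of a raw HTTP request.

    The request line is dropped; header values are stripped of the leading
    space the way a CGI server strips it before exporting the variable.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def cgi_env_name(header_name: str) -> str:
    """Name under which CGI exposes a request header to the script's environment."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def find_shellshock_probes(raw_request: str) -> list[tuple[str, str]]:
    """List (environment variable, value) for every header an unpatched bash
    would have parsed as a function definition."""
    hits = []
    for name, value in parse_headers(raw_request):
        if SHELLSHOCK_MARKER.match(value):
            hits.append((cgi_env_name(name), value))
    return hits


def scan_requests(requests: list[str]) -> list[tuple[int, list[tuple[str, str]]]]:
    """Index and findings for each request that carries at least one probe header."""
    findings = []
    for index, request in enumerate(requests):
        hits = find_shellshock_probes(request)
        if hits:
            findings.append((index, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan_requests(SAMPLE_REQUESTS):
        for env_var, value in hits:
            print(f"request {index}: {env_var} would be set to {value!r}")
```

Run against a honeypot's captured requests or a web server's raw request log, this gives the per-request evidence (which header, what it would become in the CGI environment) that complements blocking known scanner addresses at the firewall; a patched bash no longer imports such values as functions, but the flagged source addresses are still worth feeding into a block list.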

ThreatSTOP recommends that all our users also apply the patches provided by the various Linux distributions to all Internet-facing hosts as soon as possible. Many other security firms such as Websense are blogging about this, and many of them have useful tips. Only those who, like us, can actually provide blocks against inbound attackers are able to protect their customers from this threat. Anti-virus, web filtering and other host-based or outbound-only technologies provide no protection against this threat.

About ThreatSTOP
ThreatSTOP is a real-time domain and IP Reputation Service that automatically delivers a block list directly to users’ firewalls, routers and DNS servers, so they can enforce it. It is a cloud-based service that protects the user’s network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals and state actors. The data consists of both specific threat indicators and geographic data which users combine to create their own customized policies for protection. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user’s BIND (DNS) server, firewall or router. Founded in 2009, ThreatSTOP is headquartered in Carlsbad, CA. For more information visit http://www.threatstop.com/